General

  • Target

    762256f7246e75a7537109d5371af60b.bin

  • Size

    332KB

  • Sample

    240430-bvjvwsgg6t

  • MD5

    8321db26cfb8f9bc86ae632953b14d21

  • SHA1

    b9ac16722bbd992765118030eb3e95fc64c93be6

  • SHA256

    b7f470c5e896972a44760bfebe1fe5b0e0e050bff65ae77441a14bb17bd8d050

  • SHA512

    f9728d505bfa868f18d6c5125e543207aafa33cbd6e5ce3f296c8aa30a18836456a5549aaf4dfb456dfe01d3306b49a8d03a5ad5a44889d199cd8424370371eb

  • SSDEEP

    6144:kaxSbRIlKPp6PTp4wdRJx4CJWif3Gjg7KdT7elQt41DPwcoHQcELpDSCpxYq5SF:ka0bWlKmx4CJBCkA6Cq1DX61EoCpUF

Malware Config

Extracted

Family

stealc

C2

http://185.172.128.150

Attributes
  • url_path

    /c698e1bc8a2f5e6d.php

Targets

    • Target

      e43b79bf105ec37a7cfff9ad84ea28a0320f1aeba4b47fa5ad119672f9b52acb.exe

    • Size

      451KB

    • MD5

      762256f7246e75a7537109d5371af60b

    • SHA1

      953a670596dc2ded2aa93b6a1e6e3332aadfd7af

    • SHA256

      e43b79bf105ec37a7cfff9ad84ea28a0320f1aeba4b47fa5ad119672f9b52acb

    • SHA512

      aeb4937d560d212046404788cbfe85fafb412736c6e487409c6cbca9827c4a127865f060acb6982f07b78411ceec8052d29f8bb893efe7c357640bd594c55b48

    • SSDEEP

      6144:+0HYlMeYOX8mE94DowCxV0jZVqmnvi1UVX1Zbt2S0gjaUH:+04lMXmQ4LCxWjZji1U/rhaUH

    • Detect ZGRat V1

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Stealc

      Stealc is an infostealer written in C++.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks